10 WAYS TO SECURE YOUR AZURE ENVIRONMENT

Written on the 31 May 2023

10 WAYS TO SECURE YOUR AZURE ENVIRONMENT

 

The important things you need to know when operating in Azure

It is undoubtedly correct that the most secure data centre in the world is Bahnhof’s Pionen data centre. However, not everyone has contacts in Sweden to migrate their data to this data centre. So, what should companies do to secure their intellectual property with the latest and greatest technologies, whilst also removing the burden of running an entire data centre from their office?

The answer is Cloud Computing. Cloud computing allows businesses across the world to leverage the most advanced systems, and pay for services as they use them. Looking at cloud services for the first time can be quite daunting. With so many services that do similar tasks, how do you choose the right service? To make the right choice, it is important to truly comprehend the features they offer and to map the features that align with the results you desire. Before evaluating these services, it is important to understand the difference between Network perimeter and Identity perimeter.

Network Perimeter

Network perimeter ensures that services are only accessible from within the corporate network. While this may still require user authentication to access it, the user must be within the corporate network to access the data or application.

Identity Perimeter

Identity perimeter relies on the user’s authentication to provide access to certain resources. This means the user can be anywhere in the world and can still access their corporate data.

Now that we have a much clearer understanding of both Network perimeter and Identity perimeter, we can look at 10 ways to secure your Azure environment from both external and internal threats.

1 Multi-Factor Authentication

Multi-Factor Authentication (MFA) is what companies should consider to be the best starting point when looking into increasing their security awareness, not to mention it is the single most cost-effective method as well. MFA forces users to not only verify their identity by using their credentials, but also through a second factor that corroborates they are in fact, that user. Thus, adding a layer of protection to the sign-in process. Furthermore, this second factor authentication has multiple different implementation methods, including:

  • texts
  • calls
  • biometrics
  • one-time passcodes
  • Authenticator Application

MFA can be enabled on a ‘per-user’ basis for testing or done across the board. In addition, the core Multi-Factor Authentication process does not have any licensing requirements, but does offer little configuration options around its frequency or the criteria/restrictions in which a user has to authenticate in comparison to other licensed options.

2 Conditional Access

Conditional access ensures that a certain criteria is met before a user can access corporate data. This enforces organisational policies regarding data access both from within and from outside the corporate network. An example of a conditional access policy would be:

  • A user can only access the company SharePoint page if they are using a corporate device and they have completed a multi-factor authentication.

 

Cloud Expert Tip:To leverage Conditional Access, each user must have a minimum of an Azure Premium P1 license.

 

 Privileged Identity Management

Privileged Identity Management (PIM) ensures companies can leverage the ‘least privileged access’ principle across their entire Azure environment. This means PIM can be configured on a per-user or per-group basis to give eligible users the ability to escalate their data access privileges only when required. When users send a request for the escalation of their privileges, they must specify the amount of time they require this for, as well as the reason for their request. This request is then dependent on the PIM management group’s approval, before data access is granted to the user.

 

Cloud Expert Tip: To leverage PIM, each user must have a minimum of an Azure Premium P2 license or an EMS E5 license.

 

4 Firewall

Firewalls are network security systems that monitor and control traffic flow. Whether you are considering an Azure Native Firewall or a Network Virtual Appliance (NVA), having a Firewall is key for controlling both inbound and outbound traffic within the Azure environment. This ensures that all resources both talking to the internet and accessing the internal network, are inspected to block malicious traffic or traffic that does not meet a set criteria. Certain NVAs can be used for both advanced firewalling, as well as the undertaking of similar capabilities to the ones of the WAFs that will be mentioned in point six.

5 Network Security Group

Network security groups manage both inbound and outbound traffic for all resources that exist within a virtual corporate network. This traffic can be controlled by using the following five criteria:

  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • Protocol

 

Cloud Expert Tip: Network Security Groups can be applied to both resource network interfaces or virtual network subnets. It is much easier to use fewer network security groups to allow for a single pane of glass for all inter-network traffic rules.

 

6 Web Application Firewall

A Web Application Firewall (WAF) is key for any HTTP bound public facing resources. A WAF protects both new and old applications against exploits from malicious attacks. This is achieved by applying policies that are applied to the WAF itself, which enforce custom created rules as well as rules from the Open Web Application Security Project (OWASP) which is a foundation dedicated to improving safety standards within applications. WAFs can publish one or multiple endpoints, thus giving your IT team a central place to manage all public facing HTTP applications.

7 Azure Bastion

Azure Bastion is used for remote management of Azure resources over service access mechanisms such as Windows RDP or SSH. By using the Azure backbone, and leveraging the identity and permissions of the user signed into the Azure portal, it does not require firewall rules to allow access to internal resources. Thus, this has reduced the need for services such as public facing jump box servers, which helps mitigate the public exposure of company resources.

8 Private Link

Private links are introduced for compliance purposes, and allow organisations to remove public network access from their chosen Azure Platform-as-a-Service (PaaS) resources such as databases, and instead publish them only into their internal corporate network. Private links then create a service called Private Endpoints, which creates assigned network interfaces to PaaS resources of their choice to achieve this network access lockdown.

 

Cloud Expert Tip: Private links should be enabled on new PaaS resources with care, as additional configuration is required in Azure networking and within the corporate DNS servers to ensure these new private links’ resources are accessible.

 

9 Resource Locks

Resource Locks allow Azure resources to be made inaccessible to users, so they cannot delete or modify them. Resource Locks come in the following two different levels:

  • Cannot Delete – This ensures that while a resource can be modified by users within the Azure portal, it cannot be erased.
  • Read Only – This ensures that while a resource can be viewed by users withing the Azure portal, it cannot be modified or deleted.

Resource Locks can be enabled at a single resource, resource group, or subscription level. They also force the inheritance of their level’s rules on any underlying resources. For example, if a Resource Lock is implemented at the subscription level, all underlying resources (both new and existing) will have the same restrictions applied to them.

It is important to understand that these locks only apply within the context of the Azure portal. Any changes or deletions made to files within an Azure resource will not be mitigated by resource locks. For example, a user deletes a file within an Azure Windows virtual machine that has resource locks enabled. Resource locks will not stop this change. But if a user attempts to delete the Windows virtual machine from the Azure portal, then the resource lock will stop the deletion of this Azure resource.

10 Patching

Last, but not least is Patching. Keeping your systems up-to-date with the latest patches is critical for avoiding ‘zero-date exploits’ and malicious attacks to your environment. For example, more than 80% of company breaches such as hacks, involve attacks from present software and hardware weak-points. This is where patches come in, acting as improvements to these flaws.

If you are interested in discussing your Azure environment and whether you are secure, contact us today!